The DevOps movement (and its offshoot DevSecOps) aims to improve the frequency and quality of software deployments by breaking down silos between teams. When the walls between teams disappear we often see tasks ‘shift left,’ or move earlier in the development cycle so developers can understand and address production concerns as the code is being written. When we talk about security shifting left it means that teams enhance security practices throughout the SDLC.
(As an aside, Dave Stanke from Google used a delightful phrase when discussing the 2021 State of DevOps Report on a panel with my colleague Kelly Fitzpatrick and Tracy Miranda of the CD Foundation. Instead of using the phrase ‘shift left’ Stanke instead talked about ‘smearing left.’ I love this phrase because it so evocatively demonstrates that security still exists and originates with specialist security teams, but the change is in wanting to spread it all the way through the SDLC.)
DevOps (and DevSecOps) is a culture change, and the change must be bi-directional. Security teams need to have a stake at the table earlier. They cannot merely be a review process before production, and they need to be able to have input at the design phase of an application. Similarly, this culture change cannot exist without supportive tools for developers. An organization cannot ask developers to address an increasingly large part of the SDLC without also providing the tools to support them.
And this means: developer experience is a security issue.
If we are asking developers to be increasingly responsible for building secure apps, we have to make it as frictionless as possible for them to do so. We need platforms and software with baked in security defaults. We need to embed principles of least privilege. We need guardrails not gates. We need a focus on usability and speed. We need reduced configuration areas exposed to developers. We need automation. We need developer experience.
If developers have an increased responsibility for security, then it stands to reason that the developer experience of using these security tools is an increasingly important part of building and maintaining a secure app.
Developer experience is security.
Or as it is so wonderfully put by Avi Douglen: Security at the expense of usability comes at the expense of security.
Disclaimer: The CD Foundation and Google are RedMonk clients.